Cyberattack against Georgia and International Response: emerging normative paradigm of ‘responsible state behavior in cyberspace’?


On 28 October 2019, international media reported that a large-scale cyber-attack had been launched against Georgian websites, servers and other operating systems of government agencies, the courts, various municipal assemblies, state bodies, private sector organizations and media outlets. As a result, the servers and operating systems of these organizations were said to be significantly damaged, severely affecting their functionality. At that time, the origin of the attack was not yet known.

Four months later, on 20 February 2020, Georgia officially claimed, based on its investigation, that this cyberattack was planned and carried out by Russia’s military intelligence service, known as the GRU. The UK’s National Cyber Security Centre assessed that the GRU was almost certainly (95%+) responsible for this attack. Russia denies these findings as “unsubstantiated and politically motivated” and underlines that all the accusations are based on the “notorious ‘highly likely’ concept”.

Reaction of international community and ‘responsible state behavior in cyberspace’

The response from other states was swift. The USA, the UK, Australia, Ukraine, Montenegro, GUAM, a majority of EU states (Austria, Netherlands, Poland, Latvia, Lithuania, Estonia, Denmark, Sweden, Norway, Czech Republic, Romania, Iceland) and the EU itself shared Georgia’s position.

This is the second major reported cyberattack against Georgia since the cyberattacks of the August 2008 war, which were addressed by the so-called Tagliavini Report of 2009. However, the report did not reach any conclusion on their attribution or legality but noted that “[i]f these attacks were directed by a government or governments, it is likely that this form of warfare was used for the first time in an inter-state armed conflict” (Tagliavini Report, Vol II, pp. 217–19).

Most of these state reactions highlight that such cyberattacks show blatant disregard for international law, norms and agreements. However, for the purposes of this post it is interesting that a number of these responses refer to norms of ‘responsible state behavior in cyberspace’ as the main framework against which cyberattacks are judged as a violation of international law: e.g. the Netherlands stated that these actions “transgress the norms of responsible state behaviour in cyberspace.” According to Estonia, this conduct goes against “the norms of responsible state behaviour as well as reduces stability in cyberspace.” Sweden strongly condemned “recurring state sponsored cyber-attacks which violate existing norms for responsible state behavior”. Australia emphasized that “the international community – Russia included – has agreed that international law and norms of responsible state behaviour apply in cyberspace.” Iceland shared “concerns about a cyber-attack in Georgia last October, which violates norms for responsible state behavior in cyberspace.” Some also further advocated and expressed their support for promoting and upholding an international framework of responsible state behavior in cyberspace (e.g. USA, EU, as well as Poland, Romania, Latvia and Australia). So, what is ‘responsible state behavior in cyberspace’?

UN Group of Governmental Experts (GGE)

In December 2018, the UN General Assembly established a Group of Governmental Experts (GGE) pursuant to Resolution 73/266 entitled Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (GGE 2019-2021). One of the tasks of GGE 2019-2021 is to continue to study “norms, rules and principles of responsible behaviour of States […] as well as how international law applies to the use of information and communications technologies by States” (Resolution 73/266, para. 3).

This is not the first GGE of its kind established under the auspices of the UN. Five previous GGEs have been convened – in 2004/2005 (A/RES/58/32), 2009/2010 (A/RES/60/45), 2012/2013 (A/RES/66/24), 2014/2015 (A/RES/68/243), 2016/2017 (A/RES/70/237). While all of these GGEs were focused on developments in the field of information and telecommunications in the context of international security, GGE 2019-2021 is focused on responsible state behaviour in cyberspace. It is to submit its final report in 2021. Resolution 73/266 itself refers to the 2010, 2013 and 2015 reports of the previous GGEs and confirms the conclusions that international law, and in particular the Charter of the United Nations, is applicable to the information and communications technology (ICT) environment.

‘Responsible state behavior in cyberspace’

Most importantly, the 2015 report tried to answer the question of how international law applies to the use of ICTs. Without in-depth analysis, it offered “non-exhaustive views” on this question and found that: a) states have jurisdiction over the ICT infrastructure located within their territory; b) Existing obligations under international law are applicable to State use of ICTs. In their use of ICTs, States must observe, among other principles of international law, State sovereignty, sovereign equality, the settlement of disputes by peaceful means and non-intervention in the internal affairs of other States. States must comply with their obligations under international law to respect and protect human rights and fundamental freedoms; c) recalling that the Charter applies in its entirety, the Group noted the inherent right of States to take measures consistent with international law and as recognized in the Charter; d) States must meet their international obligations regarding internationally wrongful acts attributable to them under international law. However, the Group noted that the accusations of organizing and implementing wrongful acts brought against States should be substantiated (2015 Report, para. 28).

This was GGE 2014/2015’s last report. It failed to finalize its work, leaving the international regulation of cyberspace without a “centralized forum”, as summarized by Christakis and Bannelier on this blog. However, these findings are viewed as cumulatively developing a normative framework for States in their use of ICTs and can be said to constitute norms of ‘responsible state behavior in cyberspace’, at least for those states that are members of GGE 2019-2021, including Australia, Estonia, Netherlands, Norway, Romania, United Kingdom, United States and Russia. Russia has been a member of all the GGEs since 2004. This fact may explain why these states used more or less similar language mentioning responsible state behaviour in cyberspace in their statements, because the term represents a point of commonality for all of these states.

Australia’s Minister for Foreign Affairs expressly underlined that “a month before Russia’s malicious cyber activity against Georgia,” she co-sponsored with the United States and the Netherlands the Joint Statement on Advancing Responsible State Behaviour in Cyberspace in New York in the margins of UN Leaders Week. She further alleged that “the international community – Russia included – has agreed that international law and norms of responsible state behaviour apply in cyberspace.” The EU called upon the international community to continue to contribute to international peace and security by implementing the existing consensus based on the 2010, 2013 and 2015 reports.

Enforcing ‘responsible state behavior in cyberspace’

The framework of ‘responsible state behavior in cyberspace’ does not envisage any special mechanism or procedures for enforcing cyberspace obligations. Cyberattacks are the most complex phenomenon to counteract with an effective legal response, mainly due to the stringent evidentiary standard of attribution. Even proportionate self-defence and countermeasures may be difficult to utilize in real time, urging authors to identify special emergency regimes of unilateral remedies to cyber operations. Thus, it is not surprising that there is no viable prospect for international legal action in most such cases (one may consider the hypothetical chance to seize the International Court of Justice through advisory proceedings). However, Australia, for example, observed that “there must be consequences for malicious behaviour in cyberspace” and considered “a range of measures, including public attribution.” In this context, there is also a possibility of a collective response from the EU, which recently (17 May 2019) established a framework that allows it to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU, including cyber-attacks against third States.

Conclusion

There is no breakthrough development in the paradigm of ‘responsible state behavior in cyberspace’ so far. It merely reiterates the generally acknowledged international legal truth that the existing framework of international law applies to cyberspace. The question is not if international law applies to cyberspace; the question is how it applies, which remains to be answered (despite the tremendous and invaluable academic effort by Tallinn Manual 2.0). The question becomes trickier when cyberattacks are launched against civilian infrastructure or population during peacetime, when they neither fall under the law of armed conflict, nor can be characterized as use of force (or threat of use of force) due to their low intensity.

It is easier to demonstrate that such malicious interstate cyberattacks violate state sovereignty, non-intervention in internal affairs, territorial integrity, political independence, or are in any other manner inconsistent with the Purposes of the United Nations. However, this framework of broad legal notions is insufficient to operationalize “the inherent right of States to take measures consistent with international law and as recognized in the Charter” in response to internationally wrongful acts using ICTs.

Nevertheless, the emerging paradigm of ‘responsible state behavior in cyberspace’, which is far from crystallization into a distinct binding regime, has made it possible for states to use a common conceptual and terminological framework to respond to reported cyberattack incidents.

Disclaimer: The author currently serves as Senior Counsellor, Embassy of Georgia to the Kingdom of the Netherlands. The views expressed herewith are solely the author’s own in his personal capacity and do not in any way intend to represent the official views of any organization the author may be affiliated with.

Comments

Przemysław Roguski says

February 28, 2020

Dear Giorgi,

thank you for this post and for bringing this important topic to EJILTalk! But I would like to push back a bit. You speak of an “emerging paradigm of ‘responsible state behavior in cyberspace’”. I’m not sure this “paradigm” is much more than the lowest common denominator that States could agree on without committing to an actual view on how to legally qualify the cyber attacks against Georgia. Condemning Russia for violating “rules of responsible State behaviour” may sound nice, but what is the substantive meaning of this?

I would dispute the premise that norms of responsible state behavior in cyberspace are “the main framework against which cyberattacks are judged as violation of international law”. The 2015 UN GGE report clearly distinguishes between voluntary, non-binding “norms, rules and principles for the responsible behaviour of States” (Title III) and the application of international law to the use of ICTs (Title VI). So, if a State says that Russia breached “rules of responsible behaviour”, we cannot read into that statement an accusation that Russia breached international law. Any breach of international law would need to be spelled out. “Responsible behaviour in cyberspace” is not a rule of IL.

This, in fact, is in my opinion the major weakness of last week’s public attributions and the whole concept. If all that Russia has done is to violate voluntary, non-binding “rules of responsible behaviour”, what is the point? We may find it irresponsible or morally reprehensible, but it would not be illegal. Pointing to “rules of responsible behaviour” does not refer to, never mind create, any legal obligations. In fact, it weakens the position on the applicability of international law in cyberspace in cases of low-intensity cyber attacks. If the cyber attacks against Georgia did not constitute a violation of international law (be it the rules on respect for sovereignty or non-intervention), States like Russia, Iran or North Korea are legally free to continue behaving like that, while States like Georgia may not employ countermeasures. Norms on responsible state behaviour cannot replace “hard” international law.

Best,
Przemek

Kishor Dere says

February 28, 2020

As usual, there is a time lag between a wrong act being committed and the legal measures being evolved and actually enforced to deal with the menace of cyber warfare. With the rise in frequency and intensity of cyber attacks, members of the international community may be compelled to sort out their policy differences and devise a calibrated response to effectively deal with crippling attacks on national sovereignty, security, and economy among others. Such an act by a foreign state or its entities is clearly an interference in the internal affairs of other nation(s).

Isabella Brunner says

February 28, 2020

Dear Giorgi,

thank you for your input on this topic!
I have to agree with Przemyslaw. These norms were merely a compromise of the GGE member states, to find at least consensus on some issues, hence the 'voluntary non-binding' annotation to the norms, rules and principles and the fact that these norms are formulated with non-binding language ('should' instead of 'shall' etc). However, I also think that some of these norms basically rephrase or add to already existing international obligations. E.g. 13(c) notes that 'States should not knowingly allow their territory to be used for internationally wrongful acts'. This is basically a slightly amended version of the due diligence principle, which the ICJ already held to be binding in its Corfu Channel decision. So it's kind of a 'schizophrenic' system in a way (but I guess that happens when you try to seek a compromise).

It's also a pity, of course, that states missed the chance to clarify their views on whether they find international law to be violated in this context (and which violation that would be) and rather relied on this 'non-binding' system (even though some of these norms are reiterations of legally binding obligations). This would have been a great opportunity.

Best,
Isabella

Giorgi Nakashidze says

February 29, 2020

Dear Przemyslaw,

Thank you for your comments. I acknowledge and share merits of your observations. However, my post did not and does not aim to represent ‘responsible state behavior in cyberspace’ as a replacement of existing international law.

The motivation behind my input was simpler, with a clearly defined purpose: explain the reactions of these states - what language they used and where this terminology comes from. That may explain why you cannot find the answer to the question “what is the substantive meaning of this?”. This requires further research, which I considered to be beyond the scope of my post.

I raised the question if these states’ reactions, by referring to ‘responsible state behavior in cyberspace’ in a coordinated manner, which one cannot ignore when reading the statements, were an “emerging normative paradigm”: it can be fairly labeled as “emerging”, at least it started to exist; it is not normative in a strict legal sense, as ‘responsible state behavior in cyberspace’ at the current stage of development consists of voluntary, non-binding rules of behavior, alongside already existing binding legal rules of international law. It is not a rule of international law, of course. That’s why I concluded that it is far from crystallization into a distinct binding regime; whether we call it a “paradigm”, “rules”, a “model”, or a “framework”, is not decisive in this context.

The main point of your response is that states used the ‘responsible state behavior in cyberspace’ to avoid legal qualification of cyberattacks and without spelling out the violations of specific IL rules, state behavior in cyberspace cannot be judged as violation of international law by merely invoking ‘responsible state behavior in cyberspace’.

I share your argument in this respect to the extent that you are referring to non-binding rules of ‘responsible state behavior in cyberspace’. In such cases as the present one, states mainly act upon political or diplomatic considerations. It is not common practice for states in such a context to use clearly defined legal analysis or detailed submissions on which rules of international law are breached and why. What I wanted to show is that they found the term which represents a point of commonality for most of these states. Whether it is a negative or positive development for existing “hard” international law is an issue for another discussion.

Using the framework, which is closer to the specific domain (cyberspace), than generally referring to international law, may be perceived as an effort to operationalize public international law via linking its broad application to the phenomenon of cyberspace (‘responsible state behavior in cyberspace’ does not contradict international law). We are talking about ‘promoting an international framework for responsible state behaviour in cyberspace, based on the application of international law’, as Romania stated.

Once again, thank you for your observations which enabled me to further clarify the points of my post.

Best,
Giorgi

Giorgi Nakashidze says

March 4, 2020

Dear Isabella,

Thank you for your insight and sorry for this late comment. I will not reiterate the points from my response to Przemysław's comment as most of them also cover your concerns.

We have to see if this trend continues in future and what GGE's 2021 Report will have in store.

Best,
Giorgi